VeeVee Wang created KAFKA-14261:
-----------------------------------
Summary: Dependency Vulnerability Scan Results (Mend/WhiteSource)
Key: KAFKA-14261
URL: https://issues.apache.org/jira/browse/KAFKA-14261
Project: Kafka
Issue Type: Bug
Components: security
Affects Versions: 3.2.3
Reporter: VeeVee Wang
Attachments: GH_kafka-vulnerability-report.xlsx
The Kafka repository was scanned with Mend's (formerly WhiteSource) SCA
(software composition analysis) tool for third-party dependency vulnerabilities.
We scanned Kafka version 3.2.3 on 9/20.
The scan result detected the following instances of vulnerability severities:
* 12 highs
* 12 mediums
* 1 low
We would like to submit the Mend findings (attached to this ticket) as a bug
with the request to update to non-vulnerable library versions. In the attached
spreadsheet, column W "Top Fix" has notes on non-vulnerable versions to upgrade to.
Is there an SLA or typical amount of time to remediate vulnerabilities in the
Kafka repo?
Thank you.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)